January 3rd, 2009

That is a very common error that users generally encounter when packages are being compiled. Though the log files mention something bizarre, this error can be resolved quite easily by running the following command:

$ sudo apt-get install build-essential

That would do for most cases. Many programs also require a compiler-compiler called ‘bison’. You may install that also by giving,

December 18th, 2008

Menu Bar is such a waste of screen real estate in web browsers. There was no inbuilt preference in opera that would enable me to hide or show menu bar with a single key toggle. Opera allows the users to customize its keyboard shortcuts to a great extent. So, here’s how you go about toggling the menu bar in opera.

December 6th, 2008

Have you had a tough time following a conversation on twitter? Only to find that a frustrated you had to wait until the last tweet in the thread was done and then you navigated through the replies backwards. Not anymore 😀

Visit http://www.aswinanand.com/twitter.html and give the last twitter ID in the whole conversation list & watch as the page gets populated with tweets in the order in which they were posted.

This was quickly hacked up in an hour & hence its kinda very rough. Kindly use this and give me feedback.

December 1st, 2008

Its a new linux based VPS service that lets you host your django, rails and other LAMP based apps with full root access to your VPS. Moreover, there are ready-to-deploy stacks for RoR, django and LAMP. Do check them out at http://www.webbynode.com.

As of now, what I feel lacking from their website are the number of technical articles. Just see how many Slicehost has and you will know. Guess they will surely follow up with more as they launch.

October 19th, 2008

Hello friends! Barcamp Chennai 2 was superb! It was 2 days of fun. What was surprising this time is the sheer number of new faces in the crowd and the number of non-tech sessions. The non-tech sessions were high this time, though the tech sessions were pretty basic ones. Lots of networking happened this time and I came across a really cool bunch of people with whom I will be in touch.

Day 1

Yesterday morning, I attended a session on Git, by Sreeni from ThoughtWorks. Its a source control system which was developed by Linus Torvalds. I recently signed up at GitHub to host the SMS Web Service program & this session was really very helpful in getting me started. Next session was intro to Ruby on Rails by Prakash from ThoughtWorks (this was in a different track). Most of the hall roared with laughter when one of the campers asked what the difference between Rails and Javascript. Hmm! With this question I came out of the hall and met Kausik, Bharadwaj, Moyeen, KAPP, Shyam and a few more guys. We were discussing about programming languages, mainly about python and various IDEs. I also struck a deal with Shyam to collaborate on an open source mobile project. More details about it will be available soon.

By the time we finished our discussion on the hallways, it was lunch time and we headed to Tiffanys. We ragged Moyeen 😀 about his GF and stuff. Moyeen is a good sport you see so we had a nice time. Post lunch, there was a session on linux kernel basics and then came the best session of the day.

It was on Open Street Maps by a final year engineering student named Arun Ganesh. Open Street Maps is a community effort to map out the whole world. A wikipedia of sort for mapping. Arun had done some seriously good tasks of mapping out Teynampet & sharing it with the post offices in his area to get it validated. He also pointed out that, where Google or Yahoo maps take a few years to map changes in locality, those changes are reflected relatively immediately on OSM. That’s mainly because of the volunteers who edit the maps on a day-to-day basis. Unlike Google or Yahoo maps, OSM allows you to change the underlying mapping data itself, which is pretty cool. When Arun showed the OSM website on his browser, someone asked what the software was The audience brought the ceiling down by laughing. I was pondering about building a mobile software for displaying OSM on Symbian mobiles. Interested anyone? I may start this in a couple of month’s time.

My session on the recent “Assign Categories” wordpress plugin was next. Response was good and I’m happy. After this, there was a session on web 2.0 (old stuff?) but then, myself and a few others used the law of two feet and discussed various other topics between cups of coffee. I also answered a few questions on my wordpress plugin during this time. Day 1 came to an end with this.

Day 2

Today was superb I should say. The first session was from Viru [viru {at} physicssociety {dot} com] about “Indian Education System Sucks”. The word ‘s**ks’ provoked the audience very much and what followed was very hot debate with a few solutions to the current problems. Solutions being that students should be allowed to ask questions and teachers should encourage that. Also, more amount of practicals should be introduced in the curriculum for understanding the subjects better rather than mugging up. I believe CBSE has solved part of the problem here. By making the syllabus huge, they have effectively discouraged students from mugging up & vomiting. So, to answer questions in the exams, they have to understand the subject well; else they flunk. There are lots of side effects to this. But we will discuss it some other time.

Second session was on “Global Financial Meltdown” by Syed, Sukumar and Ganesh (of Rupya). It was superb. Though I did follow the news on the financial meltdown, I learnt a lot from the discussion. One specific portion that still stays fresh is the news that India Inc. is spending Rupees 1 Lakh Crore to help the failing banks. They are buying stock at a discounted rate and imagine the returns when the meltdown ends! . There was also a small discussion on how it affects the IT industry. Software service companies have to be on watch was a view that was shared by everyone.

Post lunch, the talk was on “Disaster Management”. Since Mr. Mani, DSP of Police couldn’t turn up, it turned into a fun group discussion. The hall applauded when Sukumar advised the campers to take “good care” of our lives. Point well taken.

After this it was time for our discussion using the law of 2 feet & then it was time for Thomas’ session on “How to become an innovator”. Crux of the talk is that, you have to condition your mind in to thinking out of the box and he recommends the books written by Edward De Bono. Siddhi‘s session on creating a really good office space was enlightening as well. On the whole, Day 2 rocked and I learnt plenty of things today.

Wifi

Wifi sucked Most of the time, it didn’t connect. Wifi Gurus are most welcome to share gyan on how to setup a reliable wifi for (un)conferences. May be this would have been a great session at Barcamp.

Photos

Please search for BCC2 or BarcampChennai on Flickr and other places.

Crowd size was optimum this time, which made the sessions all the more interactive. Were you there and I missed talking to you? If so, please drop a comment and I will get back in touch with you. Thanks!

October 18th, 2008

Yay! barcamp chennai second edition is happening today and tomorrow at IIT Madras in the IC & SR auditorium. The previous barcamp was truly awesome and I sincerely hope, this one will also meet the expectations. There are lots of interesting talks lined up and whats even more interesting is that, there are lots of new faces this time 😀

We are also planning for an all-night code camp for tonight. If its happening, I will post more details about it here. If you are attending, do let me know. I will be around. For more details about barcamp, check out http://barcampchennai.org/.

If you are taking pics/videos/tweeting about the event, use the tag “BCC2”. That would make it easier to search and find the relevant pics, blog posts and videos.

October 14th, 2008

Here’s a cool new wordpress plugin that allows you to assign one or more categories to multiple posts in a single shot, with or without preserving existing categories.

This plugin will be very useful when you are migrating to your own wordpress blog, hosted on your domain. The default wordpress functionality is that, you can assign new categories to posts only by editing each post and changing the category assigned to it. So, if you have a large number of posts, then it will be a nightmare.

Enter this plugin.

With this plugin, assigning multiple categories to one or more posts is a breeze. Pop the plugin’s PHP file to your wordpress plugin directory, activate it and click on “Assign Categories” under the Manage menu. The page will show the list of available categories, followed by the available blog posts. You can select the categories, select the required posts and then click on “Assign Categories” at the bottom of the page. Now, all your posts will be assigned the new categories.

October 2nd, 2008

Microsoft Research (MSR) India conducted TechVista yesterday, a symposium by MSR to showcase some of the hottest research that’s been happening. The talks were interesting and so were the posters presented by various students from top notch colleges, some of whose research is sponsored by Microsoft.

After the usual keynote, the real talk began by 10.45 AM. The talk was about the “Future of Computing” by Dr. John Hopcroft. It was a very insightful talk with details about ‘the cloud’ that I could relate to; and also about information storing and retrieval in digital form. The next talk was by Dr. Richard Szeliski about “Weaving the World’s Photos”. This talk was more about Photosynth and the technology and algorithms that go behind it. The talk was simply awesome; especially the place when they mentioned about the SIFT and RANSAC algorithms. SIFT determines similar points in 2 photos taken from different angles while RANSAC is able to stitch those points together and form a 3D model of the image. Considering the fact there are 1000s of photos online for a popular place (E.g. Taj Mahal), with photos taken from different angles, the SIFT and RANSAC algorithms brings about the 3D model of the place. Then these points are optimized and the resulting images are stitched together. When pictures are more detailed and where users have tagged those details, these pictures are used when users zoom in and zoom out of the 3D model. It also removes all the “noise” from the photographs and gives an almost seamless 3D experience.

The next talk I attended was by Dr. Shafi Goldwasser about program obfuscation and one-time programs. I could related to this talk because of my very recent experiment 😀 and paid full attention to this talk. I was smiling when one of her slides contained the last paragraph of this blog post from YUI blog. Many points in her slide were eye-opening such as ROKs and the slides that said where obfuscation fails.

It was lunch now. Somehow, most of these conferences mangle up lunch so badly that we want to give out a blood curdling yell. As soon as the morning session talks were over, myself and a few guys walked over to the Professors and were asking them a few doubts. By the time we went for lunch, most of the good dishes were over. So were the desserts

The talk immediately after lunch was some marketing blah blah about MSR that was putting me to sound sleep. I woke up and went to the poster presentations to check out what the Ph.D students had done. Some of the posters were really cool! I liked the ones on “Understanding the dynamics behind evolution of stable peer-to-peer networks” by Bivas Mitra from IIT-KGP, “Secure Distributed Computation and Communication” by Arpita and Ashish from IITM and PULRP by Deepthi and Kannan from IITB. It was about an hour by the time I finished looking through the posters. With my sleep vanished, I headed to main hall again to check out the next talk.

This talk was about “Computational Camers” by Dr. Shree K Nayar. It was just awesome! When I was college, I did a paper on Digital Image Processing and almost cried because of the complex equations All of those were coming back in my head when this talk was going on. May be if I had known earlier, I would have applied for MSR as soon as I had passed out.

With this talk getting over, one of my friends who was a finalist of my batch’s MSAPP had come to the venue. Just as myself, Dhaval and Subhamoy were getting intro’d to him, we delved deep into quantum and relative physics, with a bit of astronomy thrown in. That twisted my brain in some crazy ways. Our discussion happened for more than 2 hours and I learnt a lot more from this discussion than from the ones that were happening inside at this time.

Oh! while I was talking to Subhamoy, he casually mentioned this story. His mobile had fallen in water & when he switched it on, it got short circuited. So, he removed the panels, took the mobile circuit to this lab, found the short circuits and resoldered everything again in their proper places. He is still using that same phone. THAT WAS AWESOME!

All-in-all, it was a day spent very well 😀 I enjoyed every moment to the core.

September 27th, 2008

ICICI Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, until the Reserve Bank of India comes out with mobile banking guidelines and approves it, mobile banking is supposed to be halted. Technically, it means that, all existing users shouldn’t be able to use the service what-so-ever and new user signups should be prevented & a notification stating that they should retry later should be shown.

Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:

The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.

Which brings me to explain Step 2 in detail:

On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first <script> tag. It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.

What filename do you have to give and How?

That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.

Where ICICI Bank failed?

They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 – Resource Not Found” error. Got it? Implementing this is pretty simple.

There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 – Resource Not Found” error page.

Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.

There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.

For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?

That was a long post already We still have some more to go. Lets take a break.

Back? Ok 😀 Now, lets dissect the actual JAR file and look into the technical details of its implementation.

The Manifest File:

Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.

Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.

Some more Holes:

Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.

What should the bank do here?

Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.

I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.

There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.

Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.

Suggestion for Users:

Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.

Thats about it !

Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.

If you liked this article, kindly do me a favour by digging it. Thanks for your time.

July 17th, 2008

Hi friends, if you are in India and if you are developing software prototypes which has to send SMS alerts to various Indian mobile numbers, you needn’t spend a lot to buy SMS credits at the various sites. Over the last weekend, I spent some time hacking up a quick SOAP based web service which you can consume in your programs.

Please note that you need to create an account at www.way2sms.com before proceeding further.

Let us assume that you wish to run the service at http://www.example.com/sms/sendsms.php. Here, http://www.example.com/ is your domain, “sms” is the folder and “sendsms.php” is the PHP script in that folder.

Hence, using FTP or SSH, login to your domain hosting space and create a folder named “sms”.

Extract the source code to the “sms” folder. If you don’t want to expose a SOAP WSDL, feel free to skip to step 6.